ConnectWise permissions overview
Use this guide when creating the Security Role for a ConnectWise Manage API Member that will be used with Hatz. ConnectWise permissions control what the API Member can read or change, and Hatz will never be able to access data that the API Member cannot access in ConnectWise.
Important: Use a dedicated API Member for Hatz. Do not reuse a personal administrator account. Start with only the permissions for the workflows you plan to use, then add permissions later if needed.
Sell-AI sync vs. ConnectWise MCP
Sell-AI PSA sync only needs read access to companies and contacts. If you are only connecting ConnectWise for Sell-AI customer import, follow the read-only setup in the ConnectWise PSA sync article.
ConnectWise MCP actions can support broader service desk, schedule, time, project, sales, procurement, and agreement workflows. Those workflows require the corresponding ConnectWise Security Role permissions below.
Recommended permission levels
ConnectWise Security Roles usually expose Add, Edit, Delete, and Inquire permissions, each set to a level of None, My, or All. Use None for anything you do not want Hatz to access. Use My when the API Member should only work with records it owns or is assigned to. Use All when Hatz needs to search, report on, or update records across the workspace.
Read-only discovery and lookup permissions
Companies - Company Maintenance: Inquire All for company lookup, customer matching, and ticket/company association.
Companies - Contacts: Inquire All for contact lookup and customer context.
Service Desk - Service Tickets: Inquire My or Inquire All, depending on whether Hatz should only see assigned tickets or all tickets.
Service Desk setup/catalog permissions: Inquire access for boards, statuses, types, and subtypes so Hatz can validate ticket fields before creating or updating records.
System - Member Maintenance: Inquire All if Hatz needs to identify technicians, owners, or assignees.
Time & Billing catalogs: Inquire access for work types and work roles if Hatz will read or create time entries.
Service desk actions
Tickets: Grant Add and Edit on Service Tickets only if Hatz should create tickets, update summaries/statuses/priorities, assign owners, close tickets, or update company/contact references.
Ticket notes: Grant the note permissions required by your ConnectWise role model if Hatz should add internal analysis, detail, or resolution notes.
Delete: Keep Delete set to None unless Hatz Support explicitly confirms a workflow that requires it. Hatz adds extra confirmation friction before destructive actions.
Scheduling, time, and billing-sensitive workflows
Schedule Entries: Grant Inquire/Add/Edit only if Hatz should create or update dispatcher schedule entries.
Time Entries: Grant Inquire/Add/Edit only if Hatz should create or update time entries. Time entry writes are billing-sensitive and should be tested with a limited role before broad rollout.
Agreements and Agreement Additions: Grant read access for agreement lookup. Add/Edit should be limited to users who intentionally want agreement automation, because agreement changes can affect billing.
Expenses and Purchase Orders: Grant write permissions only for approved billing or procurement workflows.
Projects, sales, procurement, and configurations
Projects and Project Tickets: Grant Inquire/Add/Edit if Hatz should read project records, update project tickets, or work across project phases.
Sales Opportunities and Activities: Grant Inquire/Add/Edit if Hatz should search, update, or create sales records or activities.
Configurations: Grant Inquire for device or asset context. Add/Edit is only needed if Hatz should create or update configuration items.
Products and Catalog: Grant Inquire for product lookup. Add/Edit should be limited to workflows that intentionally manage procurement records.
Documents: Grant access only if Hatz should attach files to ConnectWise records.
Actions Hatz blocks or escalates
Even if the API Member has broad ConnectWise permissions, Hatz applies additional safety checks:
Hatz does not write to Members, Invoices, setup catalogs, locations, departments, user-defined-field catalogs, or system info.
Hatz blocks agreement fields that can retroactively affect billing, including billing cycle, application limits, one-time billing flags, and billing amount fields.
Hatz treats Agreements, Agreement Additions, Expenses, Time Entries, and Purchase Orders as billing-sensitive actions that require extra review.
Delete actions require explicit confirmation and should remain disabled in ConnectWise unless an approved workflow needs them.
Troubleshooting 401 and 403 errors
401 authentication failed: Re-check the Company ID, Public Key, Private Key, Client ID, and ConnectWise URL. The Company ID is the sign-in company code, not a numeric company record ID.
403 access denied: The API Member is valid, but the Security Role does not allow the requested operation. Check the module and permission level for the workflow that failed.
Partial results or missing fields: Add read permissions for the related lookup records, such as companies, contacts, members, boards, statuses, work types, or work roles.
Setup checklist
Create a dedicated API Member in ConnectWise Manage.
Create a Hatz-specific Security Role.
Start with read-only company/contact/ticket lookup permissions.
Add workflow-specific write permissions only for actions you want Hatz to perform.
Generate a Public Key and Private Key for the API Member.
Connect in Hatz and test a small workflow before expanding permissions.
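Added example (not Hatz or ConnectWise code): a small Python audit that checks a planned Security Role against the guidance in this article before the API keys are generated. The dictionary layout, the module keys, and the audit_role function are assumptions made for illustration; ConnectWise does not export roles in this form, so the levels are typed in by hand from the Security Role screen.

```python
# Added example: review a planned Security Role against this guide's advice.
# The role layout below is a constructed stand-in, not a ConnectWise format.

LEVELS = ("None", "My", "All")
ACTIONS = ("Add", "Edit", "Delete", "Inquire")

# Modules this guide treats as billing-sensitive.
BILLING_SENSITIVE = {"Agreements", "Agreement Additions", "Expenses",
                     "Time Entries", "Purchase Orders"}

# Read-only starting point from the setup checklist.
BASELINE_READ = ("Company Maintenance", "Contacts", "Service Tickets")


def audit_role(role, approved_writes=frozenset(), approved_deletes=frozenset()):
    """Return a list of (severity, module, message) findings for a role."""
    findings = []
    for module, perms in role.items():
        for action in ACTIONS:
            level = perms.get(action, "None")  # unset means no access
            if level not in LEVELS:
                findings.append(("error", module, f"{action}: unknown level {level!r}"))
            elif level == "None":
                continue
            elif action == "Delete" and module not in approved_deletes:
                findings.append(("high", module, "Delete should stay None"))
            elif action in ("Add", "Edit") and module not in approved_writes:
                sev = "high" if module in BILLING_SENSITIVE else "medium"
                findings.append((sev, module, f"{action} {level} has no approved workflow"))
    for module in BASELINE_READ:
        if role.get(module, {}).get("Inquire", "None") == "None":
            findings.append(("info", module, "Inquire is None; lookups will be denied"))
    return findings


# Constructed sample role: ticket writes are intended, the rest is drift.
SAMPLE_ROLE = {
    "Company Maintenance": {"Inquire": "All"},
    "Contacts": {"Inquire": "All"},
    "Service Tickets": {"Add": "All", "Edit": "All", "Delete": "All", "Inquire": "All"},
    "Time Entries": {"Add": "My", "Inquire": "My"},
}

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, approved_writes={"Service Tickets"}):
        print(*finding, sep=" | ")
```

Pass the modules whose write workflows you have approved in approved_writes; anything else with Add, Edit, or Delete above None is reported, with billing-sensitive modules ranked highest.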
Reference
ConnectWise API keys and API Member setup: ConnectWise API Keys and API Logs Tabs
